Smart Grid Cybersecurity: Planning for Chaos

Nov 21, 2018

Cybersecurity efforts have, by and large, neglected the newly built “smart” infrastructures in power grids. Emil Gurevitch, Security Engineer and Hacker, explains why they will be targeted, and what utilities should do to plan for the inevitable cyberattacks.

Smart grids will reduce emissions and create a wealth of savings for utilities, but the fast-paced adoption of new technology comes at the cost of increased risk of cyberattack.

Industrial control systems have been subject to such attacks, and significant effort has been put into securing them as a result. However, new, emerging technologies, such as smart meter infrastructures, have yet to be battle-tested, and utilities should expect them to inevitably have weaknesses.

Despite this, they are installed into the grid in an effort to keep companies competitive in the race to the smart grid, prioritizing increased operational efficiency and new business opportunities over potential bad actors.

You may think that comparing smart meters to, say, the SCADA for substation control, is a bit of a stretch. And, to some extent, you would be right. However, if you take an adversarial look at it, you will probably find that they pose a much greater risk than expected.


For example, utilities use smart meters to remotely switch power off, they use smart meter data in mission-critical processes that go well beyond billing, and they make significant investments to upgrade the physical grid infrastructure with communications networks that bind it all together. Utilities expect these newly built computerized infrastructures to gain new capabilities over time via remote software updates, thus increasing the return on investment. From an attacker’s perspective, we are looking at a system that we can misuse to switch power off, a system we can manipulate to disrupt or derail a utility’s mission-critical processes, and a centrally managed system of millions of connected devices that we can take control of and reprogram.

In the EU, Member States are required to implement smart metering. The latest report from the Joint Research Centre says that Member States have committed to rolling out close to 200 million smart meters for electricity by 2020.

Efforts to secure these new technologies have largely focused on trying to prevent attacks from being successful. This is of course important, but news stories of cyberattacks hit the headlines almost every day, and it should be abundantly clear by now that not every attack can be blocked — utilities must therefore invest in early detection and incident response, especially for their newer technologies that may not have been procured, developed, or operated with a bad actor in mind.

Making detection and response a core part of your grid is crucial to protecting yourself and your consumers, and is a cornerstone of creating a truly smart grid and city.

So, how can we ensure detection and response is effective?

A starting block is to work through a series of cyberattack scenarios and assess how your technology and processes hold up. Simulating them in practice and training for them can be a cost-effective way to find areas of improvement.

Cyberattack scenarios

Here are three example scenarios that utilities should consider, and ask themselves “how do we detect this early?” and “how do we recover?”.
They are described from the perspective of the attackers and are intentionally focused around the often-neglected smart meter system.
Keep in mind that these attack scenarios are likely to happen in parallel during a real cyberattack. For example, in the 2015 cyberattack on a power grid in Ukraine, attackers took control of substation control systems and switched off power, they bricked grid devices by sending malicious firmware updates, turned off backup power supplies, erased files on servers and workstations, and even flooded a call-center in an attempt to prevent people from learning about the incident. These individual attacks were centrally coordinated, and some of them were probably launched in parallel. This is how real cyberattacks work.

Hacker Scenario #1: Power Outages. We work for a nation state and our mission is to inflict power outages. We hack our way into the utility’s centralized smart meter control center, wait until the low-voltage grid is under high load, and then we start sending out disconnect commands to all the smart meters in the field. In the middle of the attack, we find that the utility has built-in limits on the number of disconnect commands you can launch from the central system within a given time period, but we find a way around it — like we always do — and remotely change the power thresholds on the meters instead, thus causing the meter to hit the limits immediately and disconnect.

It should be noted that, at the time of writing, there are no known successful cyberattacks misusing the smart meter system to switch power off in the grid.

However, like the flow of electricity, attackers follow the path of least resistance. They will go through the smart meter system to achieve their mission if that is easier than to breach the SCADA for substation control.

Hacker Scenario #2: Manipulating Business Processes. This time, our mission is to manipulate a series of processes that base their decisions on the information received from the smart meters in the field — such as signal and power quality levels used for fault detection and load balancing. We hack our way into a couple of carefully chosen, Internet-connected control nodes managing around 2,000 smart meters in total. We then start making slight but controlled changes in the information reported back to the utility, and ultimately achieve our mission.

Of course, smart meters are no longer used just for billing consumers for the electricity they use. Smart meters are increasingly being used as grid sensors, monitoring conditions at the edges of the grid. From a Smart Grid perspective this is an extremely insightful data point. By manipulating this data, attackers can directly change the utility’s view of the grid to their advantage.

Hacker Scenario #3: Stealing and Selling. We work for a criminal organization. The mission is to steal utility assets and sell them back to the utility (similar to a ransomware model). We are looking to cash out as much as possible, and as quickly as possible. So we go after what a utility relies on the most to operate: data and grid infrastructure. We outsource the development of new malware targeting smart meters, launch it, and take control of thousands of smart meters. Then we change their security keys, pushing the utility out of their own infrastructure. We also rent a classic ransomware service and launch a campaign against the utility’s central system, stealing large amounts of data. We then demand a ransom in return for the access to the hijacked smart meters in the field, as well as the data we stole. We then wait for the payout in ‘Monero’ to come in.

Although ransomware campaigns are common, there are no known successful attempts at pushing a utility out of its own smart meters with ransomware. However, it is important to at least acknowledge that all of these new power grid infrastructures are essentially large, distributed networks of computers that can be hijacked for financial gain.

The need for early detection and response planning

So, how would your utility hold up in these scenarios? In an environment with increasingly resourceful attackers and an increased attack surface, do utilities have the right technology and tools to detect intrusions early?

Attacks can be significantly hampered by early detection and pre-planned disaster response playbooks. However, as of right now, solutions aren’t being applied quickly enough to newer grid technologies.

It’s like having smoke alarms in your house — you want to be able to prevent a big fire from happening by knowing there’s smoke. Utilities need to begin installing their cybersecurity smart metering ‘smoke’ detectors.
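What such a ‘smoke detector’ can look like for the three scenarios above, as an added example that is not part of the original article and not code from any utility or vendor: a small Python script that runs three checks over the audit log of a smart-meter head-end. The log format, the host names (headend-01, kms-01, vpn-gw-03), the command names (DISCONNECT, SET_LOAD_LIMIT, KEY_UPDATE), the concentrator ids and the alarm thresholds are all assumptions constructed for the example; a real head-end writes its own format and a real deployment would tune the thresholds against its own baseline. The sample log embedded in the script is constructed too: routine activity followed by one trace of each scenario.

```python
"""Head-end 'smoke detector' for the three scenarios above (added example, not the article's code).

Assumed, constructed log format (no real head-end or meter product writes exactly this):
  <ISO time> CMD <source host> <command> <meter id>
  <ISO time> READING <concentrator id> <meter id> voltage=<V>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed audit log: routine activity plus one trace of each scenario."""
    t0 = datetime(2018, 11, 21, 18, 0, 0)          # evening peak load (constructed)
    lines = [
        f"{t0.isoformat()} CMD headend-01 DISCONNECT M-000123",                      # routine
        f"{(t0 + timedelta(minutes=5)).isoformat()} CMD kms-01 KEY_UPDATE M-000200",  # routine
    ]
    # Scenario 1: the head-end's disconnect limit is dodged by lowering load limits on 30 meters
    for i in range(30):
        ts = t0 + timedelta(minutes=10, seconds=i)
        lines.append(f"{ts.isoformat()} CMD headend-01 SET_LOAD_LIMIT M-{1000 + i:06d}")
    # Scenario 3: key updates sent from a host that is not the key-management system
    for i in range(5):
        ts = t0 + timedelta(minutes=20, seconds=10 * i)
        lines.append(f"{ts.isoformat()} CMD vpn-gw-03 KEY_UPDATE M-{2000 + i:06d}")
    # Scenario 2: concentrators C-01..C-03 report ~230 V; C-04's readings are skewed by ~8 V
    for conc, base in (("C-01", 230.0), ("C-02", 229.5), ("C-03", 230.5), ("C-04", 238.0)):
        for i in range(10):
            ts = t0 + timedelta(minutes=i)
            lines.append(f"{ts.isoformat()} READING {conc} M-{i:06d} voltage={base + (i % 3) * 0.2:.1f}")
    return lines


def parse(lines):
    """Split log lines into command events (time, host, command, meter) and readings (time, concentrator, volts)."""
    cmds, readings = [], []
    for line in lines:
        p = line.split()
        ts = datetime.fromisoformat(p[0])
        if p[1] == "CMD":
            cmds.append((ts, p[2], p[3], p[4]))
        elif p[1] == "READING":
            readings.append((ts, p[2], float(p[4].split("=")[1])))
    return cmds, readings


# Both commands can remove a customer's supply, so both count towards the rate alarm.
CUTOFF_COMMANDS = {"DISCONNECT", "SET_LOAD_LIMIT"}


def cutoff_bursts(cmds, window_s=60, max_per_window=10):
    """Scenario 1: alert whenever more than max_per_window supply-affecting commands
    fall inside any window_s-second span. Counting SET_LOAD_LIMIT together with
    DISCONNECT is what catches the 'change the threshold instead' workaround."""
    alerts, window = [], deque()
    for ts, _host, command, _meter in sorted(cmds):
        if command not in CUTOFF_COMMANDS:
            continue
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) > max_per_window:
            alerts.append((ts, len(window)))
    return alerts


def drifting_concentrators(readings, max_delta_v=5.0):
    """Scenario 2: compare each concentrator's median voltage with the fleet median and
    return {concentrator: offset} for those further away than max_delta_v. A real
    deployment would baseline each concentrator against its own history; the fleet
    median is the simplest stand-in that still exposes a group of shifted reports."""
    per_conc = defaultdict(list)
    for _ts, conc, volts in readings:
        per_conc[conc].append(volts)
    fleet = median(v for vals in per_conc.values() for v in vals)
    return {c: median(v) - fleet for c, v in per_conc.items() if abs(median(v) - fleet) > max_delta_v}


def unexpected_key_updates(cmds, allowed_hosts=("kms-01",)):
    """Scenario 3: meter key changes are only legitimate from the key-management host."""
    return [(ts, host, meter) for ts, host, command, meter in cmds
            if command == "KEY_UPDATE" and host not in allowed_hosts]


if __name__ == "__main__":
    cmds, readings = parse(build_sample_log())
    for ts, n in cutoff_bursts(cmds)[:1]:
        print(f"{ts} cut-off burst: {n} supply-affecting commands within 60 s")
    for conc, delta in drifting_concentrators(readings).items():
        print(f"{conc} median voltage is {delta:+.2f} V off the fleet median")
    for ts, host, meter in unexpected_key_updates(cmds):
        print(f"{ts} KEY_UPDATE for {meter} from unauthorized host {host}")
```

The point of the first check is that a rate limit on one command is only useful if the alarm counts every command that has the same effect; the point of the third is that a key change is a high-value event whose legitimate source is a single, known system, so anything else is worth a page-out regardless of volume.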